Analysis
max time kernel: 21s
max time network: 24s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240221-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 03-03-2024 12:52
Static task: static1
Behavioral task: behavioral1
Sample: linux_hive.elf
Resource: ubuntu2004-amd64-20240221-en
General
Target: linux_hive.elf
Size: 2.3MB
MD5: 56075e7c63b3f9f612cde6187d4a7877
SHA1: 1bcfa979b7b9044ba5ce5c006bd26b0bdbeb8464
SHA256: 12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185
SHA512: 7df68e37b3c2e7ce197f0d8736d06adf808343fe2d638bcd3e0f285968e1365c06b33157c6e5816b9fa9362e6adc262d3d2da45d3d1a38efb7e2ce980fce8b80
SSDEEP: 49152:TzVcrxrb/TGvO90dL3BmAFd4A64nsfJbJ5PhTZDknzImQXNqw0Xfgg778lwQJKTS:TcbP/kB30JKT
Malware Config
Extracted
Path: /FVUV_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Hive
A ransomware written in Golang first seen in June 2021.

Deletes itself (1 IoCs)
pid: 1472

Enumerates running processes
Discovers information about currently running processes on the system.
Reads CPU attributes (1 TTPs, 17 IoCs)
description | ioc | Process
File opened for reading | /sys/devices/system/cpu/vulnerabilities | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0 | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/topology | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/power | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/hotplug | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/microcode | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/power | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpuidle | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/cache | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2 | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3 | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/hotplug | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/microcode | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/smt | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0 | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1 | linux_hive.elf
File opened for reading | /sys/devices/system/cpu/cpufreq | linux_hive.elf
Reads hardware information (1 TTPs, 1 IoCs)
Accesses system info like serial numbers, manufacturer names etc.
description | ioc | Process
File opened for reading | /sys/devices/virtual/dmi/id/power | linux_hive.elf
Reads network interface configuration (2 TTPs, 12 IoCs)
Fetches information about one or more active network interfaces.
description | ioc | Process
File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits | linux_hive.elf
File opened for reading | /sys/devices/virtual/net/lo/queues/tx-0 | linux_hive.elf
File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0 | linux_hive.elf
File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0 | linux_hive.elf
File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics | linux_hive.elf
File opened for reading | /sys/devices/virtual/net/lo/power | linux_hive.elf
File opened for reading | /sys/devices/virtual/net/lo/queues | linux_hive.elf
File opened for reading | /sys/devices/virtual/net/lo/queues/rx-0 | linux_hive.elf
File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/power | linux_hive.elf
File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues | linux_hive.elf
File opened for reading | /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits | linux_hive.elf
File opened for reading | /sys/devices/virtual/net/lo/statistics | linux_hive.elf
Enumerates kernel/hardware configuration (1 TTPs, 64 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
description | ioc | Process
File opened for reading | /sys/class/i2c-dev | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/initcall | Process not Found
File opened for reading | /sys/kernel/slab/kmalloc-rcl-96/cgroup/kmalloc-rcl-96(1321:[email protected]) | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_exit_alarm | Process not Found
File opened for reading | /sys/kernel/tracing/events/syscalls/sys_enter_rt_tgsigqueueinfo | Process not Found
File opened for reading | /sys/kernel/tracing/events/timer/hrtimer_expire_exit | Process not Found
File opened for reading | /sys/bus/clockevents | linux_hive.elf
File opened for reading | /sys/bus/pci/slots/20 | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_exit_set_mempolicy | Process not Found
File opened for reading | /sys/kernel/slab/kmalloc-4k/cgroup/kmalloc-4k(899:gvfs-mtp-volume-monitor.service) | linux_hive.elf
File opened for reading | /sys/kernel/tracing/events/sched/sched_wakeup_new | Process not Found
File opened for reading | /sys/kernel/slab/:A-0000080 | Process not Found
File opened for reading | /sys/kernel/tracing/events/syscalls/sys_enter_syncfs | Process not Found
File opened for reading | /sys/kernel/tracing/events/syscalls/sys_enter_shutdown | Process not Found
File opened for reading | /sys/bus/platform/drivers/ramoops | linux_hive.elf
File opened for reading | /sys/devices/virtual/vc | linux_hive.elf
File opened for reading | /sys/fs/cgroup/pids/system.slice/dev-mqueue.mount | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/tlb/tlb_flush | Process not Found
File opened for reading | /sys/kernel/tracing/events/hyperv | linux_hive.elf
File opened for reading | /sys/kernel/tracing/events/syscalls/sys_enter_epoll_create | Process not Found
File opened for reading | /sys/module/uv_nmi/parameters | Process not Found
File opened for reading | /sys/devices/pci0000:00/pci_bus/0000:00/power | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/net/napi_gro_receive_exit | Process not Found
File opened for reading | /sys/kernel/slab/:a-0000104/cgroup/buffer_head(1189:rsyslog.service) | linux_hive.elf
File opened for reading | /sys/kernel/slab/anon_vma/cgroup/anon_vma(393:anacron.service) | linux_hive.elf
File opened for reading | /sys/kernel/tracing/events/ext4/ext4_remove_blocks | linux_hive.elf
File opened for reading | /sys/kernel/tracing/events/percpu | Process not Found
File opened for reading | /sys/class/printer | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/ext4/ext4_es_shrink_scan_enter | Process not Found
File opened for reading | /sys/kernel/debug/tracing/events/fib6/fib6_table_lookup | Process not Found
File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_exit_eventfd | Process not Found
File opened for reading | /sys/kernel/tracing/events/net/netif_receive_skb | Process not Found
File opened for reading | /sys/fs/cgroup/memory/system.slice/boot-efi.mount | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_exit_timerfd_gettime | linux_hive.elf
File opened for reading | /sys/kernel/slab/anon_vma/cgroup/anon_vma(1093:apt-daily.service) | linux_hive.elf
File opened for reading | /sys/kernel/slab/kmalloc-512/cgroup/kmalloc-512(1383:systemd-localed.service) | linux_hive.elf
File opened for reading | /sys/kernel | Process not Found
File opened for reading | /sys/kernel/slab/kmalloc-192/cgroup | linux_hive.elf
File opened for reading | /sys/kernel/slab/sock_inode_cache/cgroup/sock_inode_cache(1383:systemd-localed.service) | linux_hive.elf
File opened for reading | /sys/devices/pci0000:00/0000:00:01.1/ata1/link1/dev1.1/ata_device | linux_hive.elf
File opened for reading | /sys/kernel/slab/:A-0000080/cgroup/task_delay_info(377:acpid.service) | Process not Found
File opened for reading | /sys/kernel/slab/kmalloc-512/cgroup/kmalloc-512(1263:whoopsie.service) | linux_hive.elf
File opened for reading | /sys/devices/system/memory/memory15/power | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/xhci-hcd/xhci_urb_dequeue | Process not Found
File opened for reading | /sys/kernel/slab/:A-0004800/cgroup | linux_hive.elf
File opened for reading | /sys/kernel/slab/dentry/cgroup/dentry(473:gpu-manager.service) | linux_hive.elf
File opened for reading | /sys/kernel/tracing/events/syscalls/sys_enter_capget | Process not Found
File opened for reading | /sys/bus/pci/drivers/ehci-pci | linux_hive.elf
File opened for reading | /sys/devices/virtual/tty/tty39 | linux_hive.elf
File opened for reading | /sys/fs/cgroup/systemd/user.slice/user-0.slice/[email protected]/gvfs-metadata.service | linux_hive.elf
File opened for reading | /sys/kernel/slab/:A-0001088/cgroup/UNIX(905:gvfs-gphoto2-volume-monitor.service) | linux_hive.elf
File opened for reading | /sys/kernel/tracing/events/regmap/regcache_sync | Process not Found
File opened for reading | /sys/devices/virtual/bdi/252:0/power | linux_hive.elf
File opened for reading | /sys/kernel/debug/tracing/events/net/netif_receive_skb_exit | Process not Found
File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_enter_ioprio_get | Process not Found
File opened for reading | /sys/kernel/slab/mm_struct/cgroup/mm_struct(899:gvfs-mtp-volume-monitor.service) | linux_hive.elf
File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata5/ata_port | linux_hive.elf
File opened for reading | /sys/devices/platform/floppy.0/block/fd0 | linux_hive.elf
File opened for reading | /sys/kernel/slab/:A-0000080/cgroup/task_delay_info(1321:[email protected]) | Process not Found
File opened for reading | /sys/kernel/slab/:A-0000256/cgroup/filp(911:gvfs-goa-volume-monitor.service) | linux_hive.elf
File opened for reading | /sys/kernel/tracing/events/sched/sched_process_exec | Process not Found
File opened for reading | /sys/kernel/tracing/events/syscalls/sys_exit_clock_nanosleep | Process not Found
File opened for reading | /sys/kernel/tracing/events/syscalls/sys_exit_sched_get_priority_max | Process not Found
File opened for reading | /sys/kernel/debug/tracing/events/power/clock_enable | Process not Found
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
description | ioc | Process
File opened for reading | /proc/90/task/90/fd | Process not Found
File opened for reading | /proc/618/attr/smack | linux_hive.elf
File opened for reading | /proc/1448 | Process not Found
File opened for reading | /proc/201/attr/smack | Process not Found
File opened for reading | /proc/445/task/445/net | linux_hive.elf
File opened for reading | /proc/75/net/stat | linux_hive.elf
File opened for reading | /proc/952/attr/smack | Process not Found
File opened for reading | /proc/1479/attr/smack | Process not Found
File opened for reading | /proc/1412/task | Process not Found
File opened for reading | /proc/tty | Process not Found
File opened for reading | /proc/1/task/1/ns | linux_hive.elf
File opened for reading | /proc/270/task | linux_hive.elf
File opened for reading | /proc/10/map_files | linux_hive.elf
File opened for reading | /proc/1505/task/1505/attr/apparmor | Process not Found
File opened for reading | /proc/1829/task/1829/attr | Process not Found
File opened for reading | /proc/22/task/22/net/stat | Process not Found
File opened for reading | /proc/564 | linux_hive.elf
File opened for reading | /proc/617/net | linux_hive.elf
File opened for reading | /proc/662/task/662/attr | linux_hive.elf
File opened for reading | /proc/85/net/stat | Process not Found
File opened for reading | /proc/1479/task/1479/ns | Process not Found
File opened for reading | /proc/1440/net/stat | Process not Found
File opened for reading | /proc/1478/ns | Process not Found
File opened for reading | /proc/160 | Process not Found
File opened for reading | /proc/768/task/768/net/stat | linux_hive.elf
File opened for reading | /proc/810/task/821/attr | Process not Found
File opened for reading | /proc/810/task/822/attr/smack | Process not Found
File opened for reading | /proc/90/task/90/attr/apparmor | Process not Found
File opened for reading | /proc/1415/task/1415/fd | Process not Found
File opened for reading | /proc/1048/task/1050/attr/smack | linux_hive.elf
File opened for reading | /proc/18/task/18/attr/smack | Process not Found
File opened for reading | /proc/19/net/netfilter | Process not Found
File opened for reading | /proc/24/fd | linux_hive.elf
File opened for reading | /proc/404/task/405/attr/smack | linux_hive.elf
File opened for reading | /proc/5/attr/apparmor | linux_hive.elf
File opened for reading | /proc/5/net/netfilter | linux_hive.elf
File opened for reading | /proc/1/task/1/attr/apparmor | linux_hive.elf
File opened for reading | /proc/815/task/817/net/stat | Process not Found
File opened for reading | /proc/88/attr/smack | Process not Found
File opened for reading | /proc/70 | linux_hive.elf
File opened for reading | /proc/1409/task/1409/attr | Process not Found
File opened for reading | /proc/1435/attr/smack | Process not Found
File opened for reading | /proc/1440/attr | Process not Found
File opened for reading | /proc/3/attr/smack | linux_hive.elf
File opened for reading | /proc/3/net/netfilter | linux_hive.elf
File opened for reading | /proc/459 | linux_hive.elf
File opened for reading | /proc/72/attr/apparmor | linux_hive.elf
File opened for reading | /proc/11/task/11/net/dev_snmp6 | linux_hive.elf
File opened for reading | /proc/1822/task/1836/attr | Process not Found
File opened for reading | /proc/23/task/23/fdinfo | Process not Found
File opened for reading | /proc/163/task/163/fd | Process not Found
File opened for reading | /proc/175/task/175/attr/smack | Process not Found
File opened for reading | /proc/1879/fd | Process not Found
File opened for reading | /proc/810/task/824/net/dev_snmp6 | Process not Found
File opened for reading | /proc/1448/net | Process not Found
File opened for reading | /proc/176/attr | Process not Found
File opened for reading | /proc/404/attr | linux_hive.elf
File opened for reading | /proc/458/task/458/attr | linux_hive.elf
File opened for reading | /proc/785/task/787/net/netfilter | linux_hive.elf
File opened for reading | /proc/1061/task/1063/net | linux_hive.elf
File opened for reading | /proc/78/attr | linux_hive.elf
File opened for reading | /proc/790/ns | linux_hive.elf
File opened for reading | /proc/85/task/85/net/stat | Process not Found
File opened for reading | /proc/964/task/965/net/stat | Process not Found
Writes file to tmp directory (7 IoCs)
Malware often drops required files in the /tmp directory.
description | ioc
File opened for modification | /tmp/apt.data.EXJ7kD.fLRc4FvNpND2-X2GIeaRU-RZioMm9pu9ejSAnSrQ5Zb_PdHmmd_R6ys0.mrvk3
File opened for modification | /tmp/apt.sig.2AulkR.fLRc4FvNpND2-X2GIeaRU-RZioMm9pu9ejSAnSrQ5Zb_m0Ic38ucD040.mrvk3
File opened for modification | /tmp/apt.sig.hWdHoB.fLRc4FvNpND2-X2GIeaRU-RZioMm9pu9ejSAnSrQ5Zb_e1cdqljLKb40.mrvk3
File opened for modification | /tmp/config-err-nk3c1O.fLRc4FvNpND2-X2GIeaRU-RZioMm9pu9ejSAnSrQ5Zb_KkZnuxH1Q4o0.mrvk3
File opened for modification | /tmp/apt.conf.H3M73Q.fLRc4FvNpND2-X2GIeaRU-RZioMm9pu9ejSAnSrQ5Zb_VqC_zBO5vQs0.mrvk3
File opened for modification | /tmp/apt.conf.JCFdaF.fLRc4FvNpND2-X2GIeaRU-RZioMm9pu9ejSAnSrQ5Zb_ALL6neAxslU0.mrvk3
File opened for modification | /tmp/apt.data.AtgHsS.fLRc4FvNpND2-X2GIeaRU-RZioMm9pu9ejSAnSrQ5Zb_tIrCDcwmNSQ0.mrvk3
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 88cb43b9893d9559fcd7c2ff92198346
SHA1: 10f5b6704bf62d54b6928456dfd5127fcb16a936
SHA256: 36b00b82b942515e84d145a88bc7bbe9f59773bd8e3c4d9639dd2e3ffc4bb2e6
SHA512: 48f7b52fa640ac38a8a0e2216c0cfd848ef704c23cd59723b7fb0f5e83da455ff75701a40e8ede99156cdfc8aef0ec6246de0d4afd7fdbe21051bef1eed63224

Filesize: 1.2MB
MD5: e3bdddfb23369bd6da22e86ca23ec5cf
SHA1: 80126912b5be4be9cce1c7717b102ca10a863b81
SHA256: d3c35dc042d17717154bca5a47478304589db2ccec2ab3c896c59af2a0d775ea
SHA512: d3b6f70c7ca453c883c74867acb3121a0f2c0991773cf13b02ff0666e4411675529f0b6217187517c6a6cddd14870a1c5d1294868b35e2d72b282260b3510c6b